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Vulnerability Report 
August 15, 2021 


Realtek AP-Router SDK Advisory 
(CVE-2021-35392/CVE-2021-35393/CVE-2021-35394/CVE-2021-35395) 


Release Date 
2021/08/15 

Affected Projects 
Realtek AP-Router SDK 


Affected Versions 

rtl819x-SDK-v3.2.x Series 

rtl819x-SDK-v3.4.x Series 

rtl819x-SDK-v3.4T Series 

rtl819x-SDK-v3.4T-CT Series 

rtl819x-eCos-v1.5.x Series GZ 


CVE ID 
CVE-2021-3539 
CVE-2021-35393 
CVE-2021-35394 
CVE-2021-35395 


Description 

On some Realtek Jungle SDK based routers, potential memory corruption vulnerabilities in some 
services may cause their denial of the service. 

© CVE-2021-35392/CVE-2021-35393 

The ‘WiFi Simple Config’ server (wscd) that implements both UPnP and SSDP protocols is 
vulnerable to a stack buffer overflow (CVE-2021-35393) due to unsafe parsing of the UPnP 
SUBSCRIBE/UNSUBSCRIBE Callback header, and also a heap buffer overflow (CVE-2021-35392) 
due to unsafe crafting of SSDP NOTIFY messages from received M-SEARCH message’s ST header. 
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© CVE-2021-35394 

The ‘UDPServer’ MP tool is affected by multiple buffer overflow vulnerabilities and an arbitrary 
command injection vulnerability, due to insufficient legality detection on commands received from 
clients. 

© CVE-2021-35395 

The HTTP web server ‘boa’ (go-ahead has been obsoleted) is vulnerable to multiple buffer overflows 
due to unsafe copies of some overly long parameters submitted in the form, such as 

- unsafe copy of ‘submit-url’ parameter in formRebootCheck/formWsc/formWlanMultipleAP 

- unsafe copy of ‘ifname’ parameter in formW1SiteSurvey 

- unsafe copy of ‘hostname’ parameter in formStaticDHCP 


- unsafe copy of ‘peerPin’ parameter in formWsc 


Vulnerability Type 
Buffer Overflow 


Attack Type 
Network 


Access Vector 


Crafting overly long or invalid arguments in a specific request. 


Security Risk 
High 


Patch 


© CVE-2021-35392/CVE-2021-35393/CVE-2021-35394 
20210622 sdk 3.2.3 wsc_binary_and_ mp daemon_patch.tar.gz 


20210622 sdk 3.4.11E wsc_binary_and_mp_daemon_patch.tar.gz 


20210705 _sdk-v3.4t_preS_wsc_binary_and_mp_daemon_patch.tar.gz 


20210622 sdk-v3.4t_pre7_wsc-upnp-mp.tgz 
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20210701_ecosV1.5.3_patch _for_fixing_vulnerabiits.tar.gz 


© CVE-2021-35395 
20210608_release_v3.2.3_patch _for_fix_buffer_overflow_of_boa.tar.gz 


20210608_release_v3.4.11_patch for fix_buffer_overflow_of_boa.tar.gz 
20210608 release _v3.4T-CT_patch_for fix_buffer_overflow_of_boa.tar.gz 
20210701 _ecosV1.5.3_patch_for_ fixing vulnerabiits.tar.gz 
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